Path Traversal Vulnerability in OpenClaw Canvas by OpenClaw
CVE-2026-3689

6.5 MEDIUM

Key Information:

Vendor

Openclaw

Status
Vendor
CVE Published:
11 April 2026

What is CVE-2026-3689?

OpenClaw Canvas is affected by a path traversal vulnerability that allows remote attackers to disclose sensitive information. The weakness arises from inadequate validation of user-supplied path parameters before they are used in file operations. Exploitation requires authentication. An attacker could exploit this flaw to access the service account's information, compromising the confidentiality of the data. The issue is documented as ZDI-CAN-29312 and requires immediate attention to mitigate potential risks.

Affected Version(s)

OpenClaw openclaw 2026.2.17

CVSS V3.0

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
